Computer system for accessing confidential data by means of at least one remote unit and remote unit

ABSTRACT

A computer system for accessing confidential data via at least one remote unit ( 4 ), the data being stored in a secured centralized computer system ( 3 ) including elements for processing data intended for producing results, a computer connection ( 2 ) being established between the unit and the computer element, the unit being a microcomputer operating under the dependency of a local operating system. The computer connection is an encrypted tunnel connection over a public network, the unit only supporting remote administration, the unit not being operable if the computer connection is not established and, during the access thereof to the data, the unit only receiving display information associated with the process performed on the data and produced by the centralized computer system, the microcomputer of the remote unit also including an electronic encryption circuit, the operating system and the information required for the operation of the unit being stored in encrypted form.

The present invention relates to a computer system for accessing confidential data by means of at least one remote unit, as well as to a remote unit. It has applications in the field of information processing, more particularly for securing confidential data contained in a centralized computer means and that have to be processed by remote users of said centralized computer means.

The invention object of the present patent has been developed in the Groupe des Ecoles Nationales d'Economie et Statistique (GENES—Group of National Schools of Economics and Statistics), attached to the Institut National de la Statistique et des Etudes Economiques (INSEE—National Institute of the Statistics and Economic Studies), attached to the Ministère de l'Economie, de l'Industrie et de l'Emploi (Ministry of Economy, Industry and Employment).

In many industries, commercial enterprises or teaching and/or research public institutions, computer databases exist, containing sensitive information that must remain confidential or, at the very least, that must not be able to be transferred or copied outside the place where it is stored or processed, generally in a computer server. However, users external to the storage place may have to use, via a public computer network, in particular INTERNET©, said information, which is for example individualized data for calculations, researches, etc., in order to produce results from said confidential data, wherein such results must not make it possible to go back to the original individual data.

It is therefore desirable to have a system that makes it possible to access and process such confidential data without even so the user, or even a malicious third party, being capable of recovering, from a remote access, the confidential data contained in a centralized server.

It is also desirable that the architecture of the proposed system can fulfill in good conditions the needs of the users/researchers wanting to work on said sensitive/confidential data. It is therefore necessary to take into account many constraints, such as high security constraints on all the components of the architecture, ergonomic constraints, including in particular an interface and tools for the users/researchers, allowing them to work in good conditions, integration constraints because it is necessary that the system can be integrated into the computer environment of the remote establishments of the users/researchers, whatever they are, and economic constraints.

In practice, the purpose of securing access to sensitive/confidential data is achieved by combining hardware means with software means, notably a specially configured remote unit with notably an encrypted tunnel connection over a public network. It is herein proposed, for accessing confidential data, to implement a particular equipment in a remote station, which is a dedicated and locked “black box” within a particular hardware and software architecture.

On the other hand, the state of the art in the aimed field of application is based on purely software solutions. And a purely software solution does not answer to the exposed problem:

-   it is less sure because it is based on a non-controlled basis, which     is the remote user's workstation (RUWS). Such system is then exposed     to data leakage that may be accidental or intentional (spy software,     screen scraping system with character recognition . . . ) -   it is more expensive in terms of deployment because the RUWS is not     necessarily compatible, in terms of maintenance because the RUWS     development imposes a redeployment and, conversely, the software     solution development may require updating the RUWS, in terms of     assistance because a modification of the RUWS may lead to     dysfunction of the software solution, etc.

This is such adherence with the remote user's computer environment which explains that a purely software solution does not fulfill the exposed needs. Therefore, the invention proposes a system implementing hardware means making it possible to avoid the above-mentioned drawbacks.

In the field of access control, the system described in US 2007/245409 is known.

Accordingly, the invention relates to a computer system for accessing confidential data by means of at least one remote unit used by a user, the data being stored in a secured centralized computer means comprising means for processing said data, intended for producing results, a computer connection being established between said remote unit and the centralized computer means, the remote unit being a microcomputer operating under the dependency of a local operating system starting by a boot phase.

According to the invention, the system is configured in such a manner that the computer connection is an encrypted tunnel connection over a public network, which is established within the system so that the remote unit is logically integrated into the centralized computer means, in order that said remote unit can only be remotely administered, and so that said unit cannot be operated if the computed connection is not established, the system being further configured in such a manner that, when the data are accessed, said remote unit receives only display information related to the process carried out on the data and produced by the centralized computer means, the microcomputer of the remote station being in the form of an electronic card that further comprises an encryption electronic circuit, the operating system as well as the information required for the operation of said remote unit being stored in encrypted form in said remote unit, and said remote unit is consisted of a sealed unit containing the electronic card and inputs/outputs, including one identification means input/output connected to at least one user identification means, and one computer network input/output intended for the encrypted tunnel connection.

The word “microcomputer” for the remote unit actually covers any programmable device offering a network access and comprising user-interface means.

In various embodiments of the invention, the following means are used, either alone or in any technically possible combination:

-   the remote unit can only be remotely administered by the centralized     computer means, -   the remote unit further comprises a local configuration means that     is accessible and visible by the user, said local configuration     means comprising a display and a set of keys arranged in the unit     and allowing an on-site configuration of local parameters, -   the local parameters that can be configured are, for example,     display configurations, the network address of the unit, -   the public network is an INTERNET© network, -   the remote unit comprises a reduced number of connectable physical     inputs/outputs, -   the connectable physical inputs/outputs are one keyboard     input/output, one input/output for a pointer element, for example a     mouse, one identification means input/output, one display screen     input/output, one computer network input/output intended for the     encrypted tunnel connection, -   the encryption electronic circuit of the unit's electronic card is     of the TPM (“Trusted Platform Module”) type, -   the TPM encryption electronic circuit operates with the BitLocker©     technology, -   the microcomputer electronic card comprises a password-lockable     BIOS, -   the microcomputer electronic card has one or several of the     following characteristics: central memory capacity of at least 2 Go,     VGA and/or DVI graphic display, computer network input/output of at     least 10/100 Mbits/s, two USB inputs/outputs, mass memory of at     least 32 Go (a chip or a mechanical element), -   the computer network input/output is on a RJ45 connector, -   the computer network input/output is compliant with a PXE boot (PXE     stands for “Pre-boot eXecution Environment”: start by the network),     which can be parameterized and activated/deactivated from the     electronic card BIOS, -   the electronic card is based on an industrial PC card of reduced     format, -   the electronic card of the remote unit is of the Mini-ITX type, -   the remote unit size is approximately H 70 mm×D 200 mm×W 240 mm, -   the encrypted tunnel connection over a public network is made     indirectly from the remote unit, the remote unit being connected to     a local network and an equipment for interconnection to the public     network being connected to said local network, -   the encrypted tunnel connection over a public network is made     directly from the remote unit, with either an equipment for     interconnection to the public network arranged between the computer     network input/output of the remote unit and the public network, or     the equipment for interconnection to the public network is     incorporated to the remote unit, -   the equipment for interconnection to the public network is     incorporated to the remote unit and the computer network     input/output of the remote unit is omitted, -   the equipment for interconnection to the public network is     incorporated to the remote unit and the computer network     input/output of the remote unit is present, which allows the remote     unit to be used either in direct or indirect mode over the public     network, -   the equipment for interconnection to the public network is of the     wire or radio type, -   the encrypted tunnel connection is of the SSL VPN type (“Secure     Sockets Layer Virtual Private Network”), -   the encryption over the encrypted tunnel connection is a double     encryption: SSTP (“Secured Socket Tunneling Protocol”) and RDP     (“Remote Desktop Protocol”), -   the operating system of the remote station is chosen among the     products of the WINDOWS© family, -   the remote unit further comprises a firewall, which protects it from     the host local network, -   the display comprises a liquid crystal alphanumerical display, -   the liquid crystal alphanumerical display is of the “1 line 16     characters” type, -   the liquid crystal alphanumerical display is of the “2 lines 16     characters” type, -   the set of keys is a reduced set of less than 7 keys, -   the remote unit is power supplied by a supply source external to the     unit, -   the supply source external to the unit is a mains supply, -   the centralized computer means further comprises a firewall over the     encrypted tunnel connection, -   the firewall inhibits any outbound connection from the centralized     computer means, -   the centralized computer means comprises a SSTP (“Secured Socket     Tunneling Protocol”) server of a SSL (“Secure Sockets Layer”) tunnel     connection, at least one processing server comprising the     confidential data, one security management server, said servers of     the centralized computer means being located on a dedicated local     network, -   the centralized computer means further comprises a disk backup     server on the dedicated local network, -   said servers of the centralized computer means are physically one or     several computer devices; indeed, the functions of the distinct     servers may be separated or grouped in one or several computer     devices such as a physical computer, a physical microcomputer, a     physical server, -   the security management server acts as a certificate manager, a     domain controller, a controller for security policy of the remote     unit(s), for supervision and repudiation thereof, -   the identification means are chosen among one or several of the     following means: smart card reader, biometric reader, fingerprint     reader, -   one identification means is a password.

The invention also relates to a remote unit to be implemented in a computer system for accessing confidential data by means of at least one remote unit used by a user, the data being stored in a secured centralized computer means comprising means for processing said data, intended for producing results, a computer connection being established between said remote unit and the centralized computer means, the remote unit being a microcomputer operating under the dependency of a local operating system starting by a boot phase, said unit having one or several of the characteristics described and, in particular, being such that it is specially adapted to the system of the invention and it allows that the computer connection is an encrypted tunnel connection over a public network and that said unit is not operable if the computer connection is not established, the encrypted tunnel connection allowing the logical integration of the remote unit into the centralized computer means, in order that said remote unit can only be remotely administered, the microcomputer of the remote station being in the form of an electronic card that further comprises an encryption electronic circuit, the operating system as well as the information required for the operation of said remote unit being stored in encrypted form in said remote unit, and said remote unit is consisted of a sealed unit containing the electronic card and inputs/outputs, including one identification means input/output connected to at least one user identification means, and one computer network input/output intended for the encrypted tunnel connection.

The invention will be better understood thanks to the following description, which relates to a preferred embodiment, given by way of non-limitative example, and explained by reference to the appended drawing, in which FIG. 1 schematically shows the general architecture of the system.

In the embodiment described hereinafter, it is referred to the case of a research environment in which the user is a researcher who has to remotely access the confidential data stored in a secured center comprising a server of said data. Within such context, the remote unit constitutes a terminal on which the researcher works.

This remote unit, which is in the form of a small-size unit comprising a microcomputer electronic card, is physically and functionally secured against non-compliant and non-authorized uses. Such security means are notably physical and/or logical locking of the external ports not intended for the operation of the system. For example, a possible series RS232 or parallel port of the electronic card is not connected to its connector or the connector is omitted or is hidden/made unusable. It will be noted that, as any input/output of the microcomputer, the locking may also be a logical/software locking: the port(s) in question have no pilot(s) in the operating system of the remote unit or the pilot is deactivated. The unit is also physically protected against intrusions by its structure (mechanical strength, absence of opening in some parts of the unit . . . ), its mode of assembly (use of security screws), intrusion detection by an electric contactor, by a photoelectric cell . . .

Moreover, for the establishment of the encrypted tunnel connection between the users remote unit and the secured center with its data server, the boot sequence is pre-established by previously programming the remote station. Furthermore, the local operating system is locked and the information memorized in the remote station's unit, programs or local data, is stored in an encrypted form.

The remote station is thus a restrained stand-alone unit integrating its own operating system (Windows Vista© in this example). This unit is protected from the host local network by an integrated firewall and the USB© ports thereof are restricted to the software-authorized peripherals through the centralized administration device, which is installed at the unit's boot-up.

To use his remote unit, the researcher must open a session therein, which can be done only through authentication using an identification means, which is herein a smart card containing a valid certificate, a pin-code access, and which is read by a reader connected to the station by a USB connection. In a preferred embodiment, a biometric sensor is also implemented for the researchers authentication, preferably of the fingerprint reader type.

Generally, as for the users, an adequate training of the users relating to the system is preferable and the first connection of the remote station is preferably made under the control of the system manager, which allows an initialization of the smart card pin code and a fingerprinting in case such a sensor is implemented.

Once the session is open on the remote station, a program of access to the confidential data server of the secured centralized computer means runs so as to create the encrypted tunnel computer connection over a public network, for example INTERNET©, and this is the only one program that can run after a session opening. Consequently, the user sees and can use only one program, predefined in advance. A utility software of the remote unit monitors the activity of the researcher (notably keystrokes) and, when it detects an absence of activity during a determined time (an automatically incrementing inactivity-time counter is reset at each action of the researcher), it closes the session that was open and/or gives the possibility during a determined time to the researcher to performs an action that reset the inactivity-time counter. In such a manner, if the researcher forgets to close his session at the end of his work, the session will be automatically closed, which will limit the risks of use of the remote station by a third-party person once the researcher is gone. In a preferred embodiment, a particular utility program will ask the remote unit's user a biometric authentication at regular time intervals, in order to always be sure of the users real identity.

For the creation of the encrypted tunnel connection, all the elements of information for the network connection are available and encrypted in the mass memory of the remote station. Indeed, the microcomputer electronic card, referred to as motherboard, of the remote unit comprises an encryption chip and the encryption key(s) used are stored in the remote unit, also in encrypted form. By construction, no confidential data of the secured centralized computer means is transferred and stored in the remote station; only screen copies or display instructions are sent to the remote station by the central secured server containing the confidential data. All the exchanges between the remote station and the central secured server are made through the public network, INTERNET© in the present example, and an end-to-end encrypted communication system, an encrypted tunnel, has been installed. Moreover, only the remote units that are physically located in establishments identified by their network address can reach, within the secured centralized computer network, the central secured server containing the confidential data.

Still for security reasons, the system has been designed so as to make it possible to remotely perform all the management, monitoring, software and security update operations of each remote station. It also makes it possible to centrally authorize or repudiate (on the secured centralized computer means side) a remote station or a given certificate.

The remote unit may be integrated into any computer environment and local network of the user/researcher's location. For that reason, it is preferable that the configuration of this computer environment and this local network is known so as to efficiently manage the security of accesses by the secured centralized computer means that comprises the confidential data server.

The connection between the remote station and the secured centralized computer means is performed in to steps. Firstly, on the remote unit side, the insertion of the smart card into the card reader, coupled with the biometric identification (fingerprint) and a password, make it possible to open a local session on the remote station. Once open, the local session allows the researcher, in a second time, to connect to the secured centralized computer means and to open therein a central session (for example, using the same password). The identification allowed by the smart card is required for opening the two sessions. It is to be noted that removing the card from the reader closes only the local session, leaving the central session active; the latter is found in the state in which it has been left by re-opening the local session on the remote station, i.e. by re-inserting the smart card into the reader and the biometric identification and by giving again the password. To disconnect from the central session, it is just required to close it. It is to be noted that, like for the remote station, an inactivity detection may optionally be implemented, at the secured centralized computer means, to close after a determined time any session started by a remote station and on which no activity has occurred in the centralized computer means.

The above description related to the remote station used by the users to access the confidential data. The following description will now relate to the secured centralized computer means that stores the confidential data and that comprises means for processing said data.

The secured centralized computer means comprises a secured server to which the researchers remotely connect to work. Typically, this server has four processors, 28 Go of random access memory, a 1.7 To ultrafast hard disk. It is moreover highly upgradable (possibility to add memory and processors if required and possibility of clustering). It has a Windows© interface, with the software programs commonly used for statistical data processing.

In order to further increase the security, a used is defined by the couple [identifier, project], which has for consequence that a same researcher working on two projects will not have access to the data of the two projects within the same session. Likewise, the working spaces containing the data files of each project are isolated from each other. On the one hand, the access authorizations for each project are perfectly defined. And, on the other hand, it is imperative to avoid information and/or resource (data, programs . . . ) sharing, in order to ensure, for example, that no temporary table of a project can be accessed by the members of another project.

Still in the secured centralized computer means, a backup server makes it possible to perform a disk backup of all the system configurations and all the researcher works. It is to be noted that the backup solution based on magnetic tapes has not been chosen to as to avoid any dissemination of these tapes and of the data contain therein.

It is also to be noted that, to further increase the security, any entry and/or exit related to confidential data in the secured centralized computer means can be done only manually by physical displacement of an operator to the site and even, preferably, in the secured local that contains the secured centralized computer means. Generally, any entry of information (data of any format, source programs . . . ) into the secured centralized computer means is made under the control of an administrator of the system.

Typically, the users/researchers have access to:

the confidential data to which they must have access within the framework of their project and which are stored in a specific directory (“SA-Sources”);

a space intended for accommodating the intermediate files created within the framework of their projects: programs, database, texts, etc. This space is accessible within a specific directory (“EA-Projects”), and more particularly, within a directory whose name is the “short name” of the project of research and that is written on their smart card. Within each directory, each researcher taking part to the project has a sub-directory whose name is his own researcher “short name”.

The projects are thus isolated from each other. The researchers attached to other projects cannot access any of the corresponding sub-spaces and the researchers working together on a project cannot access the personal sub-spaces each other, but have all access to the root directory of their project, in which they can place files and create shared directories. The data administrators also have no access to the researchers' work spaces. The researchers may work within the secured centralized computer means from their remote stations, using these spaces, these files and the available software programs. However, the researchers cannot autonomously export anything, neither on a printer nor in an external file, and they can neither do “copy/cut/paste” operations.

Therefore, the researchers can export only the results compliant with the statistical secret, i.e. results that do not make it possible to access the individual confidential data, and they can thus not export identification information, neither direct nor indirect, for example of one person or one company, and which are stored in the central server.

In a particular embodiment, the exportation device is configured as followed:

the researchers build in their personal space the “object” they want to export in a file, making sure that this object is perfectly compliant with the statistical secret, and they complement this object with a short documentation describing it in another file;

the researchers deposit these two files in an “Exit” directory that is not accessible for reading by the researchers, as in a ballot box: it is possible to make a deposit, but it is not possible to make a read or a modification once the deposit performed;

the researchers send a message to a data administration service of the system, signaling the exit request. A data administrator of the system then examines the “objects” contained in said exit directory. If the data are actually compliant with the statistic secret, he transfers them to a “Departure” directory that is not accessible by the researchers and a copy of the “object” is simultaneously archived.

computer specialists physically transfer the “objects” from the “Departure” directory to an account that is located outside the secured centralized computer means and, once this operation is performed, these “objects” are sent by electronic messaging to their recipients.

As for the information that may be imported by the users into the secured centralized computer means, only “inactive/non-executable” objects (no executable object) or programs of a documented given type can be imported. The importation is made under the control of an administrator to whom the researchers send by electronic messaging the “object” in question and a description of each file. After checking, the researcher is informed of the importation and he finds his files in the specific directory of the secured centralized computer means to which he has access.

FIG. 1 shows the general architecture of the system. On the left of FIG. 1 is shown what concerns the user with his remote unit 1 comprising the remote unit 4 to which is connected by USB© connection a keyboard (not shown), smartcard and biometrical readers 6, as well as a visualization screen 5. A pointing means (not shown) may also by connected by USB© connection to the unit. The unit 4 contains only one locked operation system VISTA© and the whole connection information is encrypted. This unit 4 is connected to a local network 7 of the ETHERNET© type, connected to a terminal equipment 8 for connection to an INTERNET© network 2. Therefore, in this example, the encrypted tunnel connection over INTERNET© is made indirectly from the unit, with the computer network input/output of the remote station connected to a local network having an access to the INTERNET© network. The establishment in which the remote unit 1 is located has an IP address. Over the INTERNET© network 2, between the secured centralized computer means and the remote station, no data is carried in clear text and all the data are doubly encrypted (SSTP, RDP) in the encrypted tunnel.

On the right of FIG. 1 is shown what concerns the secured centralized computer means 3, in which are stored the confidential data. A firewall 9 is arranged at the interface with the secured centralized computer means over the INTERNET© network 2 on which a SSL VPN encrypted tunnel connection is established between the remote station and the secured centralized computer means 3. The latter comprises one application server 11 SECHPC01 for storage and secured processing of the confidential data, one security management server 12, one backup server DPM 2007 and one SSTP communication server for the SSL tunnel. This set of servers is located on a dedicated local network within the establishment in which the secured centralized computer means 3 is located. Over this dedicated local network, confidential data can preferably only be introduced/extracted (input/output) manually by an operator. The firewall 9 authorizes only entry of encrypted flows coming from registered and authorized establishments having remote units. No outbound connection is authorized, and only screen copies or display instructions are sent back from the secured centralized computer means to the remote units. No confidential data can exit from the secured centralized computer mean 3.

It is to be understood that the invention can be adapted according to many other possibilities without thereby departing from the framework defined by the description and the claims. Finally, the protected names cited in the present document belong to their respective owners. 

1. A computer system for accessing confidential data by means of at least one remote unit (4) used by a user, the data being stored in a secured centralized computer means (3) comprising means for processing said data, intended for producing results, an encrypted tunnel computer connection (2) over a public network being established between said remote unit and the centralized computer means, the remote unit being a microcomputer operating under the dependency of a local operating system starting by a boot phase, the system being configured in such a manner that, when data are accessed, said remote unit receives only display information related to the process carried out on the data and produced by the centralized computer means, characterized in that the remote unit (4) comprises operating means that does not allow said operation in the absence of the encrypted tunnel computer connection between said remote unit and the centralized computer means, and in that the remote unit (4) comprises means allowing the administration thereof only remotely from the centralized computer means, the system comprising means so that the remote unit is logically integrated to the centralized computer means once the encrypted tunnel computer connection established, in order to allow said only remote administration of said remote unit and said operation of said remote unit after establishment of the encrypted tunnel computer connection, the microcomputer of the remote station being in the form of an electronic card that further comprises an encryption electronic circuit, the operating system as well as the information required for the operation of said remote unit being stored in encrypted form in said remote unit, and in that said remote unit is consisted of a sealed unit containing the electronic card and inputs/outputs, including one identification means input/output (6) connected to at least one user identification means, and one computer network input/output (7) intended for the encrypted tunnel connection.
 2. A system according to claim 1, characterized in that the remote unit further comprises a local configuration means accessible and visible by the user, said local configuration means comprising a display and a set of keys arranged in the unit and allowing an on-site configuration of local parameters.
 3. A system according to claim 1, characterized in that the encrypted tunnel connection over a public network is made indirectly from the remote unit, the remote unit being connected to a local network and an equipment for interconnection to the public network being connected to said local network.
 4. A system according to claim 1, characterized in that the encrypted tunnel connection over a public network is made directly from the remote unit, with either an equipment for interconnection to the public network arranged between the computer network input/output of the remote unit and the public network, or the equipment for interconnection to the public network is incorporated to the remote unit.
 5. A system according to claim 2, characterized in that the display comprises a liquid crystal alphanumerical display, the set of keys being a reduced set of less than 7 keys.
 6. A system according to claim 1, characterized in that the centralized computer means further comprises a firewall (9) over the encrypted tunnel connection.
 7. A system according to claim 1, characterized in that the centralized computer means comprises an SSTP server of a SSL tunnel connection, at least one application server comprising the confidential data, one security management server, said servers of the centralized computer means being located on a dedicated local network.
 8. A system according to claim 7, characterized in that the centralized computer network further comprises a backup server on the dedicated local network.
 9. A system according to claim 1, characterized in that the identification means are chosen among one or several of the following means: smart card reader, biometric reader, fingerprint reader.
 10. A remote unit to be implemented in a computer system for accessing confidential data by means of at least one remote unit (4) used by a user, the data being stored in a secured centralized computer means (3) comprising means for processing said data, intended for producing results, an encrypted tunnel computer connection (2) over a public network being established between said remote unit and the centralized computer means, the remote unit being a microcomputer operating under the dependency of a local operating system starting by a boot phase, characterized in that it is specially adapted to the system of claim 1, and in that it comprises operating means that does not allow said operation in the absence of the encrypted tunnel computer connection between said remote unit and the centralized computer means, the encrypted tunnel computer connection allowing the logical integration of the remote unit into the centralized computer means, and in that it comprises means allowing the administration thereof only remotely from the centralized computer means, the microcomputer of the remote station being in the form of an electronic card that further comprises an encryption electronic circuit, the operating system as well as the information required for the operation of said remote unit being stored in encrypted form in said remote unit, and in that said remote unit is consisted of a sealed unit containing the electronic card and inputs/outputs, including one identification means input/output (6) connected to at least one user identification means, and one computer network input/output (7) intended for the encrypted tunnel connection.
 11. A system according to claim 2, characterized in that the encrypted tunnel connection over a public network is made indirectly from the remote unit, the remote unit being connected to a local network and an equipment for interconnection to the public network being connected to said local network.
 12. A system according to claim 2, characterized in that the encrypted tunnel connection over a public network is made directly from the remote unit, with either an equipment for interconnection to the public network arranged between the computer network input/output of the remote unit and the public network, or the equipment for interconnection to the public network is incorporated to the remote unit.
 13. A system according to claim 3, characterized in that the display comprises a liquid crystal alphanumerical display, the set of keys being a reduced set of less than 7 keys.
 14. A system according to claim 4, characterized in that the display comprises a liquid crystal alphanumerical display, the set of keys being a reduced set of less than 7 keys. 